6

I am planning to mirror some traffic on an ASA 5510 running version 9.1. This traffic is mostly Internet data, which cannot exceed 30 Mbps.

What impact could this SPAN operation have on performance? And are there any security concerns when trying this on a firewall?

Hamdi Kadri
  • Could you tell us what you're trying to do? Do you need to capture everything going into a port, or are you only interested in certain IP addresses? How much data needs to be captured? – Mike Pennington Nov 21 '13 at 19:08
  • I need just to capture Internet traffic, which is limited to 30Mbps, WAN traffic won't be mirrored. – Hamdi Kadri Nov 21 '13 at 20:52

2 Answers

5

What impact could this SPAN operation have on performance?

If you are referring to a possible performance penalty on your firewall's ability to process packets, then there shouldn't be any for an operation this simple. The only time that would come into play is if you begin setting up multiple filters to inspect packet headers in real time on multiple SPAN ports.

By the sounds of it, you're only looking to SPAN traffic egressing your network onto a specific port.

And are there any security concerns when trying this on a firewall?

The only real security concern is where that SPAN port's destination is (i.e. the server). Secure the server and you're good to go.

Something to note, this is a fairly common method of intrusion detection.

Ryan Foley
4

I'm pretty sure you can't SPAN on any ASA except 5505 since it has a real switch.

Mike
  • Correct. Although he could use a [capture](http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml) on the other models (limited to a 32MiB buffer). – some_guy_long_gone Nov 22 '13 at 02:42
  • Thanks guys, I found out that span is not possible on 5510, so I will use a separate switch to get the job done. Since I use a lot of 5505 in other installations, this could help me anyway. :) – Hamdi Kadri Nov 22 '13 at 07:18